DRM (Digital Rights Management) is a way to protect digital content from unauthorized use. In a known scenario of a DRM application, as shown in FIG. 1, several roles are involved, namely content provider device 101 (hereinafter referred to as CP), right issuer device 102 (hereinafter referred to as RI) and client device 103 (hereinafter referred to as CD). To buy (i.e. access/use . . . ) a piece of digital content, CD 103 first connects to CP 101 via a network 104 so as to get (by downloading online or by other offline methods) an encrypted version of said digital content. Then, CD 103 connects to RI 102 to make the payment and obtains license data authorizing access to the digital content. A content key for decrypting the digital content is included in the license data. Usually, the license data is encrypted by RI 102 with the secret key of CD 103 so that only CD 103 can retrieve the content key to decrypt the digital content. In this scenario, the content key for decryption is shared between CP 101 and RI 102, and such a scenario is suitable in situations in which CP and RI are implemented by “parties” trusting each other (e.g. CP is implemented in a first entity, RI is implemented in a second entity, both of which are operated by a big company).
Publishing digital content by a person/individual or by a small company has its own features, which differ from the scenario of publishing digital content by a big company. When the maker of content is a person or a small company, the maker can only play the role of CP and often has a website/server to publish the content, but has no capability to provide the DRM service and therefore has to seek a separate entity to act as RI. In this case, CP and RI are independent entities, i.e. they have their own interests and therefore do not necessarily trust each other. For example, RI would like to control how many protected copies CP has published and wants to charge the commission accordingly. CP would like to keep its own content from being accessed by RI.
Thus, there is a need to meet the requirements of both CP and RI when these are independent entities.
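The known scenario and the trust gap described above, as an added example that is not part of the original document: because the content key is shared between CP 101 and RI 102, RI 102 can decrypt the content that CP 101 published. The cipher is a stand-in built from SHA-256 and HMAC, the symmetric key shared between RI 102 and CD 103 is a modelling assumption, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): SHA-256 in counter mode, for illustration only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def run_known_scenario(content: bytes) -> dict:
    content_key = secrets.token_bytes(32)  # shared between CP 101 and RI 102
    cd_key = secrets.token_bytes(32)       # secret key of CD 103, also held by RI 102
    encrypted_content = seal(content_key, content)   # CP 101 publishes this
    license_data = seal(cd_key, content_key)          # RI 102 issues this after payment
    # CD 103: open the license, then decrypt the content with the recovered key.
    cd_view = unseal(unseal(cd_key, license_data), encrypted_content)
    # Trust gap: RI 102 already holds content_key, so it can read CP's content.
    ri_view = unseal(content_key, encrypted_content)
    # A device without the license cannot recover the content.
    try:
        unseal(secrets.token_bytes(32), encrypted_content)
        unlicensed_blocked = False
    except ValueError:
        unlicensed_blocked = True
    return {"cd": cd_view, "ri": ri_view, "unlicensed_blocked": unlicensed_blocked}

if __name__ == "__main__":
    print(run_known_scenario(b"constructed sample content"))
```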